This week, there has been a lot of news about attempted state-sponsored hacking and influence campaigns. We wanted to provide an update on some of our ongoing work in this area:

State-sponsored phishing attacks

Technical attribution of a recently-reported influence campaign from Iran

Detection and termination of activity on Google properties

State-sponsored phishing attacks

Phishing—attempts to trick users into providing a password that an attacker can use to sign into an account—remains a threat to all email users. Our ​improving ​technology has enabled ​us to ​significantly ​decrease ​the ​volume of ​phishing ​emails that ​get ​through to our users. ​Automated ​protections, ​account ​security ​(like ​security ​keys), ​and specialized ​warnings give ​Gmail users industry-leading ​security. As part of our security efforts, for the past eight years, we’ve displayed prominent warnings to Gmail users who are at risk of phishing by potentially state-sponsored actors (even though in most cases the specific phishing attempt never reaches the user’s inbox).

In recent months, we’ve detected and blocked attempts by state-sponsored actors in various countries to target political campaigns, journalists, activists, and academics located around the world. When we’ve seen these types of attacks, we’ve notified users as well as law enforcement.

On Monday morning, we issued our most recent series of notifications to Gmail users who were subject to suspicious emails from a wide range of countries. We posted about these sorts of warnings here—if you received this type of warning, please read the blog post and take action immediately.

Iran and FireEye

To complement the work of our internal teams, we engage FireEye, a leading cybersecurity group, and other top security consultants, to provide us with intelligence. For the last two months, Google and Jigsaw have worked closely with FireEye on the influence operation linked to Iran that FireEye identified this week. We’re grateful to FireEye for identifying some suspicious Google accounts (three email accounts, three YouTube channels, and three Google+ accounts), which we swiftly disabled. FireEye’s full report has just been published today. It’s worth reading.

In addition to the intelligence we received from FireEye, our teams have investigated a broader range of suspicious actors linked to Iran who have engaged in this effort. We’ve updated U.S. lawmakers and law enforcement about the results of our investigation, including its relation to political content in the United States. We wanted to provide a summary of what we told them.

Connections to IRIB: forensic evidence

Our technical research has identified evidence that these actors are associated with the IRIB, the Islamic Republic of Iran Broadcasting.

We can’t go into all the technical details without giving away information that would be helpful to others seeking to abuse our platforms, but we have observed the following:

Technical data associated with these actors is strongly linked to the official IRIB IP address space.

Domain ownership information about these actors is strongly linked to IRIB account information.

Account metadata and subscriber information associated with these actors is strongly linked to the corresponding information associated with the IRIB, indicating common ownership and control.

These facts, taken together with other technical signals and analysis, indicate that this effort was carried out as part of the overall operations of the IRIB organization, since at least January 2017. This finding is consistent with internet activity we’ve warned about in recent years from Iran.

We’ve regularly sent warnings to Gmail users about phishing attempts coming from Iran (including on Monday).

Detecting and terminating activity on Google properties

Actors engaged in this type of influence operation violate our policies, and we swiftly remove such content from our services and terminate these actors’ accounts. Additionally, we use a number of robust methods, including IP blocking, to prevent individuals or entities in Iran from opening advertising accounts.

We identified and terminated a number of accounts linked to the IRIB organization that disguised their connection to this effort, including while sharing English-language political content in the U.S.:

39 YouTube channels that had 13,466 total US views on relevant videos;

6 blogs on Blogger

13 Google+ accounts

Our investigations on these topics are ongoing and we will continue to share our findings with law enforcement and other relevant government entities in the U.S. and elsewhere, as well as with others in the industry.

The state-sponsored phishing attacks, and the actors associated with the IRIB that we’ve described above, are clearly not the only state-sponsored actors at work on the Internet. For example, last year we disclosed information about actors linked to the Internet Research Agency (IRA). Since then, we have continued to monitor our systems, and broadened the range of IRA-related actors against whom we’ve taken action. Specifically, we’ve detected and removed 42 YouTube channels, which had 58 English-language political videos (these videos had a total of fewer than 1,800 U.S. views). We’ve also identified and terminated the account associated with one blog on Blogger.

* Since our last update in August, we have identified and terminated a limited number of accounts linked to coordinated influence operations, including while sharing English-language political content in the U.S.:

With respect to Iran-linked operations: 6 G+ pages; 1 Blogger blog; and 34 YouTube channels that had 20,794 total US views on English-language political videos.

With respect to Russia-linked operations: 1 YouTube channel linked to the Internet Research Agency, which had only a single English-language political video with 94 US views.

We will continue to deal with attempts to abuse our systems by identifying bad actors, terminating their accounts, and sharing relevant information with Congress and law enforcement.

*As of November 20, 2018, we've revised this post with updates since August 23, 2018, the post's original publication date.